Azure Point-to-Site VPN certificates with openssl


You need client certificates for your Azure VPN, you would rather do it from a terminal than with Windows tooling, and the Azure guides don't follow your aesthetics.


The sole dependency is a build of openssl for your platform. Without further ado, our first step is to provide Azure with a certificate that will be used to sign the per-client certificates. We call this the root certificate; by importing it to Azure we tell Azure to trust every certificate signed by it, so its private key is what protects access to the VPN. Most of the following commands will ask you to guard the output files with a passphrase. Leave them empty until you have a working solution, then follow the guide again and add strong passwords when you're asked to.

# Generate the CA root private key (-aes256 prompts for a passphrase)
openssl genrsa -aes256 -out MyAzureVPN.key 2048
# Generate a self-signed CA root certificate valid for 10 years
openssl req -x509 -sha256 -new -key MyAzureVPN.key \
    -out MyAzureVPN.cer -days 3650 -subj "/CN=MyAzureVPN"

In the Azure portal navigate to "Virtual Networks/Manage Certificates/Upload" and import MyAzureVPN.cer. Next we create client certificates by issuing the commands below.

# Generate a client private key and a certificate request for it
openssl genrsa -out client1Cert.key 2048
openssl req -new -out client1Cert.req -key client1Cert.key \
    -subj "/CN=MyAzureVPN"
# Generate a certificate from the certificate request and sign it
# as the CA that you are.
openssl x509 -req -sha256 -in client1Cert.req -out client1Cert.cer \
    -CAkey MyAzureVPN.key -CA MyAzureVPN.cer -days 1800 \
    -CAcreateserial -CAserial serial
# Pack the client key and certificate into a .pfx (PKCS#12 format)
openssl pkcs12 -export -out client1Cert.pfx -inkey client1Cert.key \
    -in client1Cert.cer -certfile MyAzureVPN.cer

The last command outputs a file the Windows Certificate Store can import directly.
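As an added example that is not from the original post, here are the same openssl steps wrapped in shell functions plus a check that the client certificate really chains to the root you uploaded to Azure before the .pfx is handed to anyone. The working-directory layout, the `OtherRoot` name and the `changeit` password are constructed for this example, and the root key is left unencrypted so the script runs non-interactively.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumptions: file names follow
# the post, the working directory is passed in, and the root key is created
# without -aes256 so nothing prompts (re-add it and a passphrase for real use).
set -eu

make_root() {            # $1 = work dir, $2 = root CN / file base name
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -x509 -sha256 -new -key "$1/$2.key" \
        -out "$1/$2.cer" -days 3650 -subj "/CN=$2"
}

issue_client() {         # $1 = work dir, $2 = root name, $3 = client name
    openssl genrsa -out "$1/$3.key" 2048 2>/dev/null
    openssl req -new -key "$1/$3.key" -out "$1/$3.req" -subj "/CN=$3"
    openssl x509 -req -sha256 -in "$1/$3.req" -out "$1/$3.cer" \
        -CA "$1/$2.cer" -CAkey "$1/$2.key" -days 1800 \
        -CAcreateserial -CAserial "$1/serial" 2>/dev/null
}

pack_pfx() {             # $1 = work dir, $2 = root, $3 = client, $4 = pfx password
    openssl pkcs12 -export -out "$1/$3.pfx" -inkey "$1/$3.key" \
        -in "$1/$3.cer" -certfile "$1/$2.cer" -passout "pass:$4"
}

# Prints ok when the client cert verifies against the given root, fail otherwise.
verify_client() {        # $1 = work dir, $2 = root name, $3 = client name
    if openssl verify -CAfile "$1/$2.cer" "$1/$3.cer" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Prints the issuer CN of a certificate file, i.e. which root signed it.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

demo() {
    d=$(mktemp -d)
    make_root "$d" MyAzureVPN
    issue_client "$d" MyAzureVPN client1Cert
    pack_pfx "$d" MyAzureVPN client1Cert changeit   # constructed password
    verify_client "$d" MyAzureVPN client1Cert       # prints ok
    rm -rf "$d"
}
```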

Now, on the client machine that needs Azure VPN access, double-click client1Cert.pfx and follow the installation dialogues until the certificate lands in your Personal store. Then, again from the Azure portal, download the appropriate VPN client and install it. Available networks will now show a new entry: click it to expand, hit Connect, and hit Connect once more on the VPN dialogue that pops up. Fingers crossed, you are now connected to the Azure VPN.